v5.15.0-rc1

author: Allan Sandfeld Jensen <allan.jensen@qt.io> 2020-05-01 10:35:02 +0200
committer: Allan Sandfeld Jensen <allan.jensen@qt.io> 2020-05-04 20:22:53 +0200
commit: 6ebef2eb9a6a3630f9142fb040c3f87ba8eeac8e (patch)
tree: 82675cd6c62234f483d167fcadf31859721e56b0
parent: 821e71fded090d815b5cd396057ac9823874fe1f (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/src/gui/painting/qicc.cpp b/src/gui/painting/qicc.cpp
index 2b5cd58fb1..b7c8e8f824 100644
--- a/src/gui/painting/qicc.cpp
+++ b/src/gui/painting/qicc.cpp
@@ -225,7 +225,7 @@ static bool isValidIccProfile(const ICCProfileHeader &header)
     }
 
     // Don't overflow 32bit integers:
-    if (header.tagCount >= INT32_MAX / sizeof(TagTableEntry)) {
+    if (header.tagCount >= (INT32_MAX - sizeof(ICCProfileHeader)) / sizeof(TagTableEntry)) {
         qCWarning(lcIcc, "Failed tag count sanity");
         return false;
     }
@@ -629,6 +629,7 @@ bool fromIccProfile(const QByteArray &data, QColorSpace *colorSpace)
     // Read tag index
     const TagTableEntry *tagTable = (const TagTableEntry *)(data.constData() + sizeof(ICCProfileHeader));
     const qsizetype offsetToData = sizeof(ICCProfileHeader) + header->tagCount * sizeof(TagTableEntry);
+    Q_ASSERT(offsetToData > 0);
     if (offsetToData > data.size()) {
         qCWarning(lcIcc) << "fromIccProfile: failed index size sanity";
         return false;
author	Allan Sandfeld Jensen <allan.jensen@qt.io>	2020-05-01 10:35:02 +0200
committer	Allan Sandfeld Jensen <allan.jensen@qt.io>	2020-05-04 20:22:53 +0200
commit	6ebef2eb9a6a3630f9142fb040c3f87ba8eeac8e (patch)
tree	82675cd6c62234f483d167fcadf31859721e56b0
parent	821e71fded090d815b5cd396057ac9823874fe1f (diff)